This news is already a week old, but it only got submitted to us today, and I didn't notice it all. As it turns out, two malicious software packages had been uploaded to GNOME-Look.org, masquerading as valid .deb packages (a GNOME screensaver and theme, respectively).

I think that what Thom means by the term PPA is the distribution's official repositories. PPA stands for Personal Package Archive and I don't see the reason why someone cannot make available some malicious code (probably hidden inside an otherwise useful application) through their PPA.

PPAs are not distribution repositories, they are outside of that system. Use them at your own risk, because they are not audited by anyone associated with your Linux distribution.

Being outside of the distribution means that PPAs are no more trustworthy than downloading a package using a web browser and installing it manually.